Resources for the Check Point Community, by the Check Point Community.


SSL/TLS Inspection for FTPS Connections

Hello,

Anyone achieved SSL/TLS Inspection on a security gateway for FTPS connections (FTP over SSL/TLS, not SFTP)? Is this possible?

There are various protections in IPS blade regarding FTP, but since most file transfers in production environments are encrypted, those protections do not work without a way for the gateway to observe the data decrypted.

I tried to add a rule in HTTPS inspection policy including the server's certificate/private key, but the connection cannot be established at all. Without inspecting the connection, file transfers work fine.

Re: SSL/TLS Inspection for FTPS Connections

Thanks for the info.

For this specific case it has to be FTPS. We don't have an option.

However, in case of SFTP the IPS still cannot see the traffic decrypted right?

Do you consider SFTP more secure than FTPS? The problem with SFTP is that because it works over SSH, in case the service is not configured correctly (or in case there is a vulnerability), the client can get command-line access on the Operating System itself.

Re: SSL/TLS Inspection for FTPS Connections

Originally Posted by Dave365

Thanks for the info.

For this specific case it has to be FTPS. We don't have an option.

However, in case of SFTP the IPS still cannot see the traffic decrypted right?

Do you consider SFTP more secure than FTPS? The problem with SFTP is that because it works over SSH, in case the service is not configured correctly (or in case there is a vulnerability), the client can get command-line access on the Operating System itself.

Any thoughts?

Thanks,

I would say either is just as secure and either can be misconfigured and have very bad things happen.
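As an added example, not from the thread above: the SFTP-only lockdown that Dave365's concern about shell access points at, expressed as OpenSSH sshd_config directives (the group name sftponly and the chroot path /srv/sftp are assumed values, not from the thread).

```sshd_config
# Global default: run the SFTP subsystem in-process so no external
# sftp-server binary and no login shell are involved in file transfers.
Subsystem sftp internal-sftp

# Applies only to accounts in the (assumed) sftponly group.
# Match blocks must come last: everything after them is conditional.
Match Group sftponly
    # Always run the SFTP server, regardless of the account's login shell
    # or any command the client requests; rules out interactive access.
    ForceCommand internal-sftp
    # Confine the session to this directory. It must be owned by root and
    # not group- or world-writable, or sshd refuses the login.
    ChrootDirectory /srv/sftp/%u
    # Disable the SSH features a file-transfer-only account does not need.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Validate the file with sshd -t before reloading the daemon; a syntax error in a Match block would otherwise leave the service unable to restart.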